Can a CT scan be hacked? New research pushes doctors to patch their imaging devices

Health care providers and manufacturers of medical imaging devices (MIDs) need to be more vigilant when it comes to protecting their equipment, researchers from Ben-Gurion University say in a new research paper.

The paper, published this month, details how researchers found that the devices are particularly vulnerable to threats that can ultimately result in harm to patients.

“MIDs are increasingly connected to hospital networks, making them vulnerable to sophisticated cyber-attacks targeting the devices’ infrastructure and components, which can disrupt digital patient records, and potentially jeopardize patients’ health,” the paper’s abstract says.

At particular risk are computed tomography (CT) machines because of their widespread use in acute care imaging, the researchers say. The researchers simulated cyberattacks on machines that conduct CT scans and on their host computers, and identified several major risks.

By gaining access to the configuration files on a CT machine’s host computer, hackers can change the way a scan is carried out. Hackers could in theory alter the mechanical behavior of different motor components of a device, which could mess up a scan or even physically harm a patient.

A more sophisticated attack, the researchers say, could digitally alter a scan’s output or assign a scan to the wrong patient.

The authors also noted that a device’s host computer can be susceptible to ransomware attacks. In May 2017, the widespread WannaCry ransomware attack disrupted operations in hospitals across the United Kingdom. The attack affected Windows computers, and while Microsoft had released relevant vulnerability patches months prior, many of the computers had not been updated.

“In cases where even a small delay can be fatal, or where a dangerous tumor is removed or erroneously added to an image, a cyberattack can be fatal,” said Tom Mahler, an author on the paper. “However, strict regulations make it difficult to conduct basic updates on medical PCs, and merely installing anti-virus protection is insufficient for preventing cyber-attacks.”

Mahler explained to CyberScoop in an email that any change in a medical imaging device must be approved by the Food and Drug Administration, which can be a lengthy process. He added that if a health organization’s IT team doesn’t regularly deploy security updates, it affects the security of the whole organization. But they can often be helpless to do so because of strict regulation, Mahler said.

The authors predict that cyberthreats against medical equipment will increasingly become a challenge for the health care industry, but say that it has been difficult for practitioners to keep up defenses.

“CTs and MRI systems are not well designed to thwart attacks,” lead author Dr. Nir Nissim said in a release. “The MID development process, from concept to market, takes three to seven years. Cyber threats can change significantly over that period, which leaves medical imaging devices highly vulnerable.”

In the future, the researchers hope to present a machine learning technique that can detect anomalies in a device’s operation and notify a user that the device might be compromised.

The paper was presented by researchers at Malware Lab, part of BGU’s Cyber Security Research Center.